When an NSG is associated to a subnet, the rules apply to all resources connected to the subnet. Traffic can further be restricted by also associating an NSG to a VM or NIC.

Associating NSGs

You can associate an NSG to VMs, NICs, and subnets, depending on the deployment model you are using, as follows:

VM (classic only): Security rules are applied to all traffic to/from the VM.

NIC (Resource Manager only): Security rules are applied to all traffic to/from the NIC the NSG is associated to. In a multi-NIC VM, you can apply different (or the same) NSG to each NIC individually.

Subnet (Resource Manager and classic): Security rules are applied to any traffic to/from any resources connected to the VNet.

You can associate different NSGs to a VM (or NIC, depending on the deployment model) and the subnet that a NIC or VM is connected to. Security rules are applied to the traffic, by priority, in each NSG, in the following order:

Inbound traffic

NSG applied to subnet: If a subnet NSG has a matching rule to deny traffic, the packet is dropped.

NSG applied to NIC (Resource Manager) or VM (classic): If a VM/NIC NSG has a matching rule that denies traffic, packets are dropped at the VM/NIC, even if a subnet NSG has a matching rule that allows traffic.

Outbound traffic

NSG applied to NIC (Resource Manager) or VM (classic): If a VM/NIC NSG has a matching rule that denies traffic, packets are dropped.

NSG applied to subnet: If a subnet NSG has a matching rule that denies traffic, packets are dropped, even if a VM/NIC NSG has a matching rule that allows traffic.

As with most items in Azure, there are limits to the number of NSGs you can have in a subscription and the number of rules per NSG. To learn more about the limits, read the Azure limits article.

Creating a network security group (NSG) is easy; you can do this in the portal or with PowerShell.

As I mentioned above, you can set the network security group (NSG) on a subnet or VM, and you can add multiple rules to a network security group (NSG).

By default the rule pane is set to Basic: just pick a service and open or close the port.

But when you check the Advanced option, the rule pane changes into a rich and flexible option menu.

Instead of selecting just a service, you can also add an IP range as the source, so that only that range can access this machine and everyone else is excluded.

Setting this in the GUI is nice, but when you need to change or add a lot of these you will need PowerShell or ARM templates.
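As an added example (not code from the original post), this is the PowerShell equivalent of the setup described above: an NSG with an Advanced-style rule that limits RDP to one admin IP range, associated to both a subnet and a NIC. The resource group, region, VNet, subnet and NIC names and the admin range are assumed values; it expects the Az module and a session opened with Connect-AzAccount.

```powershell
# Added example (not from the original post): an NSG that only allows RDP from an
# admin IP range, explicitly denies RDP from everywhere else, and is then
# associated to a subnet and to a NIC. All names and ranges are assumed values.
$rg       = "rg-demo"          # assumed resource group
$location = "westeurope"       # assumed region
$vnetName = "vnet-demo"        # assumed existing VNet
$subnet   = "subnet-app"       # assumed existing subnet
$nicName  = "vm-app01-nic"     # assumed existing NIC (Resource Manager VM)
$adminNet = "203.0.113.0/24"   # assumed admin range (documentation-only prefix)

# Rule 1: allow RDP only from the admin range. Lower priority number wins.
$allowRdp = New-AzNetworkSecurityRuleConfig -Name "Allow-RDP-From-Admin" `
    -Description "RDP from the admin network only" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $adminNet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389

# Rule 2: explicit deny for RDP from any other source. The default DenyAllInBound
# rule would already drop it, but this stops a later, broader Allow rule
# (e.g. "allow any from Internet" at priority 300) from re-opening 3389.
$denyRdp = New-AzNetworkSecurityRuleConfig -Name "Deny-RDP-Other" `
    -Description "Block RDP from everywhere else" `
    -Access Deny -Protocol Tcp -Direction Inbound -Priority 200 `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name "nsg-app" -SecurityRules $allowRdp, $denyRdp

# Associate to the subnet: the rules now apply to every resource in that subnet.
$vnet      = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnetCfg = Get-AzVirtualNetworkSubnetConfig -Name $subnet -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet `
    -AddressPrefix $subnetCfg.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Also associate to a NIC. For inbound traffic the subnet NSG is evaluated first,
# then the NIC NSG; a matching Deny at either layer drops the packet.
$nic = Get-AzNetworkInterface -Name $nicName -ResourceGroupName $rg
$nic.NetworkSecurityGroup = $nsg
$nic | Set-AzNetworkInterface | Out-Null

# Print the custom rules in evaluation order so the priorities can be checked.
$nsg = Get-AzNetworkSecurityGroup -Name "nsg-app" -ResourceGroupName $rg
Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg |
    Sort-Object Priority |
    Format-Table Name, Priority, Direction, Access, SourceAddressPrefix, DestinationPortRange
```

The subnet's existing address prefix is read back before the update because Set-AzVirtualNetworkSubnetConfig requires it and would otherwise overwrite it.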